Azure Disk Encryption for IaaS VMs

12/07/2018

Microsoft Azure is committed to ensuring your data privacy and data sovereignty. Azure enables you to control your Azure-hosted data through a range of advanced technologies to encrypt, control and manage encryption keys, and control and audit access of data. This control provides Azure customers with the flexibility to choose the solution that best meets their business needs. This article introduces you to a technology solution: "Azure Disk Encryption for Windows and Linux IaaS virtual machines (VMs)." This technology helps protect and safeguard your data to meet your organizational security and compliance commitments.

Overview

Azure Disk Encryption is a capability that helps you encrypt your Windows and Linux IaaS VM disks. Disk Encryption uses the industry-standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for the OS and data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk-encryption keys and secrets. The solution also ensures that all data on the VM disks is encrypted at rest in your Azure storage.

Disk Encryption for Windows and Linux IaaS VMs is generally available in all Azure public regions and Azure Government regions for Standard VMs and VMs with Azure Premium Storage. When you apply the Disk Encryption management solution, you can satisfy the following business needs:

IaaS VMs are secured at rest by using industry-standard encryption technology to address organizational security and compliance requirements.

IaaS VMs boot under customer-controlled keys and policies. You can audit their usage in your key vault.

If you use Azure Security Center, you're alerted if you have VMs that aren't encrypted. The alerts show as High Severity and the recommendation is to encrypt these VMs.

Encryption workflow

To enable disk encryption for Windows and Linux VMs, complete the following steps:

1. For the customer-encrypted VHD scenario, upload the encrypted VHD to your storage account and the encryption key material to your key vault. Then, provide the encryption configuration to enable encryption on a new IaaS VM.

2. For new VMs that are created from the Marketplace and existing VMs that already run in Azure, provide the encryption configuration to enable encryption on the IaaS VM.

3. Grant access to the Azure platform to read the encryption key material (BitLocker encryption keys for Windows systems and the passphrase for Linux) from your key vault to enable encryption on the IaaS VM.

4. Azure updates the VM service model with the encryption and key vault configuration, and sets up your encrypted VM.

Decryption workflow

To disable disk encryption for IaaS VMs, complete the following high-level steps:

1. Choose to disable encryption (decryption) on a running IaaS VM in Azure and specify the decryption configuration. You can disable encryption via the Azure Disk Encryption Resource Manager template, PowerShell cmdlets, or the Azure CLI.

   This step disables encryption of the OS volume, the data volume, or both on the running Windows IaaS VM. As mentioned in the previous section, disabling OS disk encryption for Linux isn't supported. The decryption step is allowed only for data drives on Linux VMs, and only as long as the OS disk isn't encrypted.

2. Azure updates the VM service model and the IaaS VM is marked as decrypted. The contents of the VM are no longer encrypted at rest.
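The encryption and decryption workflows above, as an added example that is not from this article or from Microsoft's own tooling: POSIX shell wrappers around the Azure CLI commands for enabling and disabling Azure Disk Encryption with a key encryption key in Key Vault. The resource group, VM, vault and key names are constructed placeholders, and the Linux check encodes the restriction stated in the decryption workflow (only data volumes, never the OS disk).

```shell
#!/usr/bin/env sh
# Added example, not the article's own code. Constructed names: resource group
# "rg-ade-demo", key vault "kv-ade-demo", KEK "ade-kek". Requires az and a login
# unless ADE_DRY_RUN is set, in which case the command is printed instead of run.
RG="${RG:-rg-ade-demo}"
VAULT="${VAULT:-kv-ade-demo}"

run_az() {
  if [ -n "${ADE_DRY_RUN:-}" ]; then echo "az $*"; else az "$@"; fi
}

# Azure Disk Encryption accepts exactly these volume types.
valid_volume_type() {
  case "$1" in ALL|OS|DATA) return 0 ;; *) return 1 ;; esac
}

# The vault must be enabled for disk encryption so the Azure platform can read the
# key material, and it needs an RSA KEK (software- or HSM-protected) to wrap the secret.
ade_prepare_vault() {  # $1 = protection: software | hsm
  run_az keyvault update --name "$VAULT" --resource-group "$RG" --enabled-for-disk-encryption true &&
  run_az keyvault key create --vault-name "$VAULT" --name ade-kek --kty RSA --protection "$1"
}

# Enable encryption on an existing VM, wrapping the volume key with the KEK.
# Current-release syntax: no Azure AD application parameters are passed.
ade_enable() {  # $1 = VM name, $2 = volume type
  valid_volume_type "$2" || { echo "volume type must be ALL, OS or DATA" >&2; return 2; }
  run_az vm encryption enable --resource-group "$RG" --name "$1" \
    --disk-encryption-keyvault "$VAULT" --key-encryption-key ade-kek --volume-type "$2"
}

# Disable encryption. On Linux only data volumes can be decrypted (and only while the
# OS disk is unencrypted), so refuse OS/ALL up front instead of letting the extension fail.
ade_disable() {  # $1 = VM name, $2 = volume type, $3 = OS family: Windows | Linux
  valid_volume_type "$2" || { echo "volume type must be ALL, OS or DATA" >&2; return 2; }
  if [ "$3" = "Linux" ] && [ "$2" != "DATA" ]; then
    echo "decrypting the OS disk is not supported on Linux; use DATA" >&2; return 3
  fi
  run_az vm encryption disable --resource-group "$RG" --name "$1" --volume-type "$2"
}

# Per-volume encryption status; confirms the service model was updated after either workflow.
ade_status() { run_az vm encryption show --resource-group "$RG" --name "$1" --output table; }
```

Run `ade_prepare_vault software` once per vault, then `ade_enable vm-name ALL` and `ade_status vm-name`; the same status call is how you verify a Security Center unencrypted-VM alert has been resolved.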

Encryption workflow (previous release)

The new release of Azure Disk Encryption eliminates the requirement to provide an Azure Active Directory (Azure AD) application parameter to enable VM disk encryption. With the new release, you're no longer required to provide an Azure AD credential during the enable encryption step. All new VMs must be encrypted without the Azure AD application parameters when you use the new release. VMs that were already encrypted with Azure AD application parameters are still supported and should continue to be maintained with the Azure AD syntax. To enable disk encryption for Windows and Linux VMs (previous release), do the following steps:

1. For the customer-encrypted VHD scenario, upload the encrypted VHD to your storage account and the encryption key material to your key vault. Then, provide the encryption configuration to enable encryption on a new IaaS VM.

2. For new VMs that are created from the Marketplace and existing VMs that already run in Azure, provide the encryption configuration to enable encryption on the IaaS VM.

3. Grant access to the Azure platform to read the encryption key material (BitLocker encryption keys for Windows systems and the passphrase for Linux) from your key vault to enable encryption on the IaaS VM.

4. Provide the Azure AD application identity to write the encryption key material to your key vault. This step enables encryption on the IaaS VM for the scenarios mentioned in step 2.

5. Azure updates the VM service model with the encryption and key vault configuration, and sets up your encrypted VM.

Terminology

The following table defines some of the common terms that are used in this technology:

Terminology | Definition
--- | ---
Azure AD | An Azure AD account is used to authenticate, store, and retrieve secrets from a key vault.
Azure Key Vault | Key Vault is a cryptographic key management service that's based on Federal Information Processing Standards (FIPS) validated hardware security modules. These standards help to safeguard your cryptographic keys and sensitive secrets. For more information, see the Azure Key Vault documentation.
Key encryption key (KEK) | The asymmetric key (RSA 2048) that you can use to protect or wrap the secret. You can provide a hardware security module (HSM)-protected key or a software-protected key. For more information, see the Azure Key Vault documentation.